CVE-2026-56425: MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation, Insecure Redirect URI Validation, and Log Injection
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.

The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.

Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.

The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.

The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.

Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.

The fix introduces:
- A dedicated cryptographically random OAuth state value.
- Single-use state validation and invalidation.
- Constant-time state comparison using hash_equals().
- Session identifier rotation after successful authentication.
- Enforcement of HTTPS-only redirect URIs.
- Sanitized and length-limited logging of OAuth error parameters.

Affected component: AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
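As an added example (not MISP's own code, which this page does not reproduce), the fix items above expressed as PHP helpers: `$session` stands in for the PHP session array, and the redirect URI in the walk-through is a hypothetical placeholder.

```php
<?php
// Added example, not MISP's code: the hardened OAuth state handling described in the fix.
// $session stands in for $_SESSION (CakePHP's session object in the real plugin);
// the redirect URI in the walk-through is a hypothetical placeholder.
const OAUTH_STATE_KEY = 'oauth_state';

// 1. Issue a dedicated, cryptographically random state value (never session_id()).
function issueOauthState(array &$session): string {
    $state = bin2hex(random_bytes(32));
    $session[OAUTH_STATE_KEY] = $state;
    return $state;
}

// 2. Compare the callback's state in constant time, then invalidate it (single use).
function consumeOauthState(array &$session, ?string $received): bool {
    $expected = $session[OAUTH_STATE_KEY] ?? null;
    unset($session[OAUTH_STATE_KEY]);               // consumed on first use, pass or fail
    if ($expected === null || $received === null) {
        return false;
    }
    return hash_equals($expected, $received);
}

// 3. Rotate the session identifier after successful authentication (defeats fixation).
function rotateSessionAfterLogin(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);                // true: discard the old session data
    }
}

// 4. Refuse any redirect URI whose scheme is not https.
function assertHttpsRedirectUri(string $uri): void {
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if (!is_string($scheme) || strtolower($scheme) !== 'https') {
        throw new RuntimeException('OAuth redirect URI must use https');
    }
}

// 5. Replace control characters (CR/LF included) and cap length before logging error params.
function sanitizeForLog(?string $value, int $maxLen = 200): string {
    $clean = preg_replace('/[^\x20-\x7E]/', '?', (string) $value);
    return strlen($clean) > $maxLen ? substr($clean, 0, $maxLen) . '...' : $clean;
}
// Constructed walk-through of one login round trip (no real traffic).
$session = [];
$state = issueOauthState($session);
assertHttpsRedirectUri('https://misp.example.test/users/login');
var_dump(consumeOauthState($session, $state));  // first presentation of the state
var_dump(consumeOauthState($session, $state));  // replay of the same state
echo sanitizeForLog("access_denied\r\nforged audit line"), PHP_EOL;
```

The second `consumeOauthState` call is rejected because the stored state was removed on first use, which is what closes the replay window the advisory describes.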
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This CVE covers multiple weaknesses in the OAuth 2.0 authorization flow within the Azure Active Directory authentication plugin for MISP, a threat intelligence platform. A network-accessible attacker with a low-privilege account can manipulate the authentication process, and the attack requires the victim to interact with a crafted link or flow. Successful exploitation enables full read, write, and availability impact on both the vulnerable system and any connected scoped systems, including session hijacking, session fixation, CSRF bypass, plaintext credential exposure, and audit log corruption. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
Detection capability for CVE-2026-56425 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including CIRCL and NVD, covering both pulled base images and custom-built MISP derivatives. Any image containing the affected misp/misp package at version 2.5.41 or earlier is flagged automatically inside customer registries and CI pipelines. (Status: Available)

HarborGuard scores this CVE at CVSS v4.0 9.3 (Critical) and surfaces it at the top of each affected environment's finding queue with that rating applied. Per-environment compliance policy weighting is applied at triage time, and the finding is routed to the security inbox or team configured in each customer organization's notification settings. (Status: Available)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment MISP or CIRCL ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed. (Status: Pending upstream)

Exploit Conditions
- Network reachability: Required. The attacker must reach the MISP instance over the network, as the CVSS vector specifies AV:N (network attack vector).
- Authentication: Required. A low-privilege account is sufficient; the CVSS vector specifies PR:L, meaning the attacker must hold at least one valid low-privilege credential on the target system.
- Victim interaction: Required. The attack requires the victim to take an action such as following a crafted OAuth link or completing an authentication flow, as the CVSS vector specifies UI:A (active user interaction required).
- Attack complexity: Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- An attacker who obtains a leaked session identifier can hijack an authenticated MISP session and read stored threat intelligence, events, and user data.
- Session fixation allows an attacker to pre-set a known session token before the victim logs in and then reuse that token to gain full authenticated access after login.
- OAuth authorization codes and access tokens can be intercepted in plaintext if a non-HTTPS redirect URI is in use, giving the attacker the ability to authenticate as the victim.
- Crafted log injection payloads corrupt or forge audit records, allowing an attacker to obscure their activity and undermine forensic investigation.
How HarborGuard Handles This
Available on HarborGuard: every image containing misp/misp at version 2.5.41 or earlier is flagged as Critical on ingestion, with findings routed per each organization's compliance and notification policies. Because no upstream fix exists at this time, HarborGuard monitors the CIRCL advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a remediated version is published; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual action. In the interim, compensating controls worth applying at the network-policy layer include restricting inbound access to the MISP OAuth callback endpoint to known IP ranges, enforcing HTTPS-only redirect URIs at the reverse proxy or load balancer level, and isolating the MISP instance from broad lateral network paths to limit post-exploitation reach on both the vulnerable system and any connected scoped systems.
- misp/misp ≤ 2.5.41

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H